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Translate this text 

Methods and apparatus are 
presented for providing local 
authentication of subscribers *x 
travelling outside their home systems. 
A subscriber identification token (230) 
provides authentication support by *"£ 
generating a signature (370) based 
upon a key that is held secret from a 
mobile unit (220). A mobile unit (220) s | 
that is programmed to wrongfully 
retain keys from a subscriber ^ 
identification token (230) after a 
subscriber has removed his or her 
token is prevented from subsequently 
accessing the subscriber's account. 
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[0018] 

^ ft ft a ^>y h 2 2 0 a An A m J; D £ ft ft a - y h 2 2 o ft if A * ft Tin A # M Wl h 

y 2 3 Ot7y?it>^- 2 4 0 0 0{±finA#»B'Jh-^^2 

3 OitflJnS. S^ + -3 0 OSff77?Aty/^-2 4 OCiSfii, 5Sfl^7-fe 
-^ 2 6 0, Hg-^ffi © Bf# (cryptographic Cipher) + — ( C K ) 2 9 0 , R |j£ 14 ( I nt 
egrity)^-(IK) 3 1 OSJSSt^ftlitt-SiSZ 5 0 t i DtfflSh*. CK 
2 9 0 M K3 1 0 t(±#ffta-7 h 2 2 Ot£ISnS„ 
[0019] 

& W] ft a - -y h 2 2 0 T» t± , ffl ft ft % (D * v -b - "J <D =f S « ft 7c ( i ntended) SffiAC&£ 
iy»l?nfl5J;7t, CK 2 9 0ttH#a^7l- 2 2 0 tVS2 1 0 t (DfS (DM it 

* Hg # fb -r s 7c 46 1 fs ffl * ft s d t ^ t* * s o a ft * ug ^ ft -r ^ < Bf ^ - * ffl -r § fc 

J6©K«tt, A^B^^IsSAtlgrS^ft, ?lffl^ftTii©^tii^ESft7c, SI*©* 

H#Sffli#^HO 9 / 1 4 3, 4 4 1 1, 1 9 9 8 ^8^28 HSfB, 
ftXhU-AHf^^^^-rS/ci6©77r£fcSH "Me t hod and Appa r a t 
us for Generating Encryption Stream Ciph 
ers"j tfiasnn^. ffiCHf^fbSWactD^icfBa^ft/c^ffi^SIC^HicfJ 

[ 0 0 2 0 ] 

I k 3 i o tit v -fe - s IS ft # (mac) sastSftiiKifflsn? e: e: 

•fe-S?tc^fin*nSo MAC*|«£t8fti60Sfii, *%i«ISA£II^ti, ?[ffl 
^ftTil©^t|I^E*ft7c, [HIif(iD*B#lTtfiIS^SO 9 / 3 7 1, 1 4 7 1, 1 

Method and Apparatus for Generating a Me 
ssage Authentication C o d e " J IE £E 2 ft T t/^ ■§ 0 MffikW^ 
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[ 0 0 2 1 ] 

ft fc 9 £ , I K 3 1 0 tt s ft * V -fe - V 9 il Jfll * £ * ft it - *£ £ SI f§ * ft S # S © If IS £ m 

-3^rcmmm%3 4 o^fst-gfc^tfM^nsct^f ts„ msmis^a s ft 
46S«t±^ *^i©iSAti»sn, ^[ffl^nTcic^tffi^^sn/c, ab#m^ 

H 5 , 9 4 3, 6 l 5f, it-f r|IIfi/Xfik:6^TSHr*ayf^*a« 

t^ftfeCSStif "Method and Apparatus for Prov 
iding Authentication Security in a Wirel 
ess Communi cat ion System" J id IE M 2 ft T ^ S 0 tl fl W £ 3 
4 0 a I K 3 1 0 £ S ft f* a ^ -.y h 2 2 0 *^O^7i!-->" 3 5 0 tg*^b*§A7'> 
if? (hashing element) 3 3 0 © £B * T 3 0 fg fl g £ 3 4 0 £ ^ >y -fe - A 3 5 0 t it 
Ilti 5 (over the air) V S 2 1 0 £ * ft S „ 
[ 0 0 2 2 ] 

H 2 tl^nS «t 5 N Bf^ffcA- 2 9 0 £ffi£14 3r- (integrity key) 3 1 0 t It tU A 

# it m h - 2 > 2 3 0 5 & ft f* a - h 2 2 OtSIJft, fnaaitJ;i5A7'J7 

* • 7* -f -fe 5 A- 3 > (public dissemination)© ft J6©A-^-7b-A£r^ALf!W-§ 

0 Zl O K« ttft "5 M#-TS A (eavesdropper) tfK£fc«fc ^Oi v 

S©^K<-'cttf^tS-Jt, d © g ffi tt d - A • i/i;l/li:j;«affr6«)fi|*!lffi 
Lftt^o P- A • -> x;Krogue shell) 14, C K 2 9 0 J: I K3 1 0 Atl5 i ^ 

£, * LtfClfC J; 5 ft^-©#££ n-*;l/^ * U 6 -fflt? (purging) j; D H 

73ffitt, ^ftf*a^>y h 2 2 0tfffi©ffi«'\©£ff*-££ffif3«fc5£7n?7A'fS 
il i: -e S o CK2 9 0 t I K3 1 OifitCft, ftD A ^ £ * PS © ft ^ 3 f§ £ ^ IE £ j£ ^ 
•T § (bi 1 1) ft 46 £ ffiffl * ft 3 d t W T* # S o * - A X r A 2 0 0 * ft ft ^ > ^ A 

73 ffi t? (in a manner that is insecure)^ ffl Jtl5'>Xf At fe^t, d © P - A • £/ x 

[ 0 0 2 3 ] 

p - a • j/iMftitTfiits i n ffi m n t± , *p a # §s so h - ? y © s a m l £ & 

H ft {* a ~ y HciDBS2h#4^tfi**l8St8ftftli:, A p b v A i: in A # fl 
gij h - 9 y ft © ^ ^ y t^Sfflts, 

[ 0 0 2 4 ] 

M 3 f± iS IS a ft '> X A A £ *3 1/> T tiQ A # © P - ii II II * M ft T % ft ib © 1 ft M B H * H 
gfg 0 An A # IK g'J h - 7 y 2 3 Olillfta;-; h 2 2 0 £ M 2 ft 

% ^ ^ - £ a -3 ^ ft fl fl JS ^ * ^ A S <fc d fc 7° p 9 =7 A * ft 3 o fe L fe » A # 

£ £ D fS ffl 5 ft ft H ft f* a - h ^ p - y • y x ;l/ T? ft «\ * © p - 9 • 1/ x ;!/ f± iB IE 
ft IS fl JS ^ * B il A S d i: ii T? * ft ^ 0 
[ 0 0 2 5 ] 

H2icfH^^ftft/3rSi;raaic; 1 ^ijf*a--y h 2 2 0!±toA#!15?Jr--^y2 3 0 ^5 
SfS^ftS I K3 1 OtVS 2 1 0 £ ^ ft S ^ # * -y-fe - i: £ S r3 ^ ft m & it ^ % IS 

tt§. L^Lft^s, iiiffi^si-ei±, g«i^av st(ii?tx4i/\ m^mmtm 
xmmm y - 9 y 2 3 0 ti? n-c, -si«t^*%it« ft * £f^»^- t - Steffi 
ffl^ft^o -^i«fl^i±fifta^7 h 2 2 otitH^n, ^fti±M©ft 46© v s 2 

1 0 £ - # w « fi ^ * )« s £ m it a s „ 

[ 0 0 2 6 ] 

hs 2 0 0 it 7 y 9 a A y ^ - 2 4 0iiAnA^^giJh-^y±£fS^^ftftS^^-©fti 

llCltJlAtflBS (XRE S) 2 7 0 ^f4t§„ 7>?Af 2 4 0 fc X R 

E S 2 7 0 J:ftV S 2 1 Otlf^nSo HS 2 0 0 t V S 2 1 0 t (Df|©Ifl(±B 1 t 
fE$2ftftA?£7?M£2ftSo V S 2 1 Ottflfta^-y h 2 2 0 £ =y y A A A > ^ - 
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2 4 O^IfLT, f lfta^>y h 2 2 0 ^6il^7t-i>'2 6 OOlf^fOo BM 
* y -t - V 2 6 0 tXRE S 2 7 OfcliVS 2 1 O © it K it ? 2 8 Ofi£K?n? 0 t 
L fe 5S fg ^ -y-fe - V s 2 6 0 £ X R E S 2 7 O t & V y f- T ft «\ V S 2 1 Oliftfta; 
-y h 2 2 Ot+f-H , X?:jfiLi»So 
[ 0 0 2 7 ] 

v 2 2 oajnAf iaDiifta^7 h 2 2 o tm^wicmtisz tirctinA^ 
mmv-v y 2 3 oiL7>nt>/t-2 4 0 ^ is 11 -r s 0 g ^ * - 3 0 0 1± m a # ft m 
h-z y 2 3 oitiisns. s £ * - 3 0 0 h^y ^ hi-y ^~ 2 4 0 torn mum 

|^'yt-^ 2 6 0 , Bg # ^ - ( C K ) 290, (IK) 3 10, SffUIM 

flfl^-(UAK) 3 2 0 S?64tSftJ&t + -^§S 2 5 0 £J;»)ffiffl2nS„ CK2 
90fc I K3 1 0^ttilfta^7h220tgl?n?o 
[ 0 0 2 8 ] 

ilfta;^ h 2 2 OT\ CK 2 9 0ttgl7 , -?71/-i (|3 tgg^f ) £ Bf # f fc 
tSftfttffflSni. I K3 1 0 tt g £ ft ^§ 3 4 0 ^?l4t-SfeJ6tfM2tl?o g * 
ft # 3 4 0 tt I K 3 1 0 t & W] f* a - 7 h 2 2 0 5 © ^ 7 -fe - *J 3 5 0 ± fc , Ay>/ a 
S It © d; ? ft , Bf^lft:?!^ (encryption operat i on) £ /£ i± it 73 [rI M © (one-way operation 

) *?f^-rsw«^*S33o©tH*T*a5So m « ft ^ 3 4 0 t± » a m m m h - 7 y 2 3 

Otgf Sn«. iHAf igiJh-^^ 2 3 0 T\ 3 4 0 tUAK3 2 OilB-* 

3 7 0 %^§tSft»(Cf«58Si3 6 OtiOIIJnS, -««f§^3 7 
0ag»fta-7b 2 2 0 t, * L T V S 2 1 0 \Z & ft * ft , f Cfftflllf 3 8 0 tt 

ftAfOT'ffyf'ff -f*SKt«. «IISf 3 8 0ttl*if 3 4 oi:-SI*ff 
370fc*S^-rSJii:tj:DtftiE*^fi8-rSJ:i:^T?#So ftbDt, M ? 3 8 o 
}± «j ft a - y h 2 2 0i!p5i*if 3 4 o*Sit8i:i:i!i , ?t, 3 7 o 

[ 0 0 2 9 ] 

W « f§ ^ 3 4 ORci'V S 2 1 0?O-*i*ff 3 7 0 © B £ & , ^J3^3fcKffirfc«fc!> 
M 2 ft f# S 0 lll^H'Pa, ilif 3 8 oa*-ii/Xf A 2 0 0 i)^©UAK3 
9 0&tfte-&tt*-*SflT?#So & IE H ? 3 8 0 1i$fcfifta^7 h 2 2 0 5 * y 

[ 0 0 3 0 ] 

An A ^ H 5?J h - 7 > 2 3 0ft©ig£M#§3 6 0 fct * U tyO'ty^iSiAaci:*' 
# , C C t? 7° a -t -y -9- « !/> 5 5 ft S ffi £ f£ ffl L T A * £ SO, H T S J; *> £ #§ $c * ft S d 
£tf RTtg"Z?fc3 0 d ft S ©MttBf^ffcRS, A 7 y a |l, $ k fi # rT $ » © S £ 
KSCfc^tfffSo 1 M <h b T , An A # ^ SiJ h - 7 y £ i D ffi 5 ft f# § 1 S « , 19 
9 4^5^ Mlf MSM (FIPS) PUB186, " (D i 

gital Signature S t a n d a r d) " tJ^TM?nft, gi^f 

7a7*n'JXi ( s h a ) -z? s s „ An A # ft g'J h - * y «fc D H ff * ft % %> fe 5 i o © 

S ffi f± , 1 9 7 7 fp 1 ft , F I P S P U B 4 6 £ *J ^ T £ ft 5 ft , r - ^ Bf # ft fli *P 

( d e s ) tfeSo cotfi^ffifflsnT-cfc^tc, « fg " at ^ f b " © m. ffl t± ^ f l t a 

^rTj^ Wz?*Sttfttf ftS^v^d t*«WLft^o c c £fH3S^ ft/cH»HT fi, ftfftt 
[ 0 0 3 1 ] 

^-14^ 2 5 0 feS/c^ty i:ynt7tfc^f i§ilfc^ft§„ HRfc, l H» 
Ita, #-©7°n^-y^^S«fg^g§3 6 0i:^-|§^#g2 5 o i 
5ti^2tlgLtffT'tS„ ^!It±^!iE*?3 8 OT'^CA±(^?.rai:|ga^|f*LT 

[ 0 0 3 2 ] 

±IBHSS^H©«J: D # IB ft E 3zR Tf {± , M5SM3 3 0 }± C © fp- 1 H M A C - S HA - 1 
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«r>aiittl*lf 3 4 0M£T£fci6k:ffMft#§3 3 o fiT?ttfflShff«:i: 
ffSIShft, -y is a ^ - X © M A C s ( H M A C s ) <D ffi m , It V7*-i?S 
SO/c6(D*-^y^A7'>all (Keying Hash Functions f 
or Message Authent i cat ion) ", ^^l^, Bf £| Jjx ffr (C ry 
ptology) t $5 It § jt*£ - Bjt-Sf (Crypto) 9 6lll, 3 y t: a - X • ^^xyX 1 1 0 9 # 
, X 7° u y # - ft r - 7 Xft 1 9 9 6 ft id $5 s if n / - h , fllClO&8Cii!i'?t« 
o HMACii, 2 X f y 7" © il K *5 ^ T , SHA-lOi^S, Bg *f ft m ~y ^ a a f£ ft fS 
fflt§MACX + -AT*$S. HMAC-SHA-lX^-Afii, # kRXfffim* 

-as ha- i m m ft *j ffi ft l , ^ ft a ^ © ^ ^ y -tr - ft © 1 ft ft ft x x h * £ $ -r s (p 

roduce) 46 t i£ ffl 2 ft S 0 C © * - & * © ft W, 1 © ft A ft x X h © 1 ft << ft x X h * ft 10 
^tS i5tS HA - lSBtffflSBfttSftfctffifflSftSo Li9$2C^i/*iXKi 

# ^ -yfe - is lc {t m Z ft S T? & 5 o M A C * m ft S o d CD ft £ IB $ * ft ft ft ffi ffy S "Z? a 
, iJDA#ligiJh-^y2 3 0 tj;Dfgft^ft§^^tt^-- (IK) » , SHA-l«|]ffl 
ftLTl^7y^ft&ffiS^-J:LT«ffl2liSLttft'tS 0 14 1^ » A # it »J h- 
-^y^5©i^fi*-£J;!5«]H^n§fiIfltf)HMAC(DllOfl^ U IM 

m m ft - 1 «t d « ffi f b * ft a ^ a # n m v - * y \H © h m a c © n ffi © m m t % m ft ft s 

H 25 5 o 
[ 0 0 3 3 ] 

H4£fe^T, H S 2 0 0 (i7y^ftt>^- 2 4 0 £ An A # M m h> - 7 > 2 3 0 ± t fS 

# * ft fc IB 8? fit IB © ftl » fc a -5 ^ ft ^ ffll JS «F ( X R E S ) 2 7 0 i: * 51 ft ft § o 7y^'A 20 
ty^- 2 4 0 tXRES 2 7 0 J:iiVS2 1 0 tif 2tl3, HS 2 0 0 tVS2 1 0 

t © m © a fi a m 1 tEasnftSffi^sitsn*, v s 2 1 oasn&fta-y h 2 2 
otvy^At y^-2 4 0 * m m t t , mm w a ^ 7 h- 2 2 ofr6o«s^t-^2 

6 0031*^0, IIAvt-->ft60^XRES 2 7 0 tliVS2 1 0 © K fl ft 

2 8 0 T*it K * ft S o fe L fe 5S IS y< 7 -fe - is 2 6 0 £ X R E S 2 7 0 il ^ V y f- f ft «\ 
V S 2 1 Ofii^ifta-v h 2 2 0 t^-lfX^SfiLilj-5o 

[ 0 0 3 4 ] 

& gjj f* a x 7 h 2 2 Ott, idAftiD^Kfta-y h 2 2 0 ii * ? W £ 3 IS * ft tc A 
#^g'Jh-7y2 3 ot7y?Afy^-2 4 oseit?, S^ft-3 0 0 t± fin A # IK 
g[Jh-7y2 3 oiKfSSh*, S^ft-3 0 0 £ =7 y ft hi- y a - 2 4 0 ii © ffi m t± 30 

, »|^t-f 2 6 0, Bg # {b + - ( C K ) 2 9 0, fa # 14 * - (IK) 310, & tf 
U I Mil*- (UAK) 3 2 0 ^%^-rS/cJ6{c*-^^gg2 5 Oid^DfSft^ft^o 
CK 2 9 0fc] K3 1 0 fc(iilf*a^7 F 2 2 Otgl?tl5 0 
[ 0 0 3 5 ] 

Ilfti-7h 2 2 0 t*(i, CR 2 9 0ttIlf-?71/-A (H4ict±Hft*ft) ftBf 
ffttSftfttSM^nS. I K3 1 0ttg«^^gg3 3 0 4^|«f^ 3 4 0«£T 

sfei&tffifflsn^o g«?§ft§§3 3 0 a s ha - i offifiia^t^7i?-i 7 2 6 o© 

M^ftj^T S J; a tiJS^nS. S H A - 1 a 7 a ft Ffg (± I K 3 1 0 fc «fc t) Wffift * 

ft S o 

[ 0 0 3 6 ] 40 

y< -y ^ - ft 2 6 0 S HA- 1 AyJ/ a 8iO|gI7fe8|«f^3 4 Oti, » 

A#ii»j h - 7 y 2 3 o icmm znz>o mxmmm b-o y z 3 07?, m&m^ 3 4 0 1 

UAK3 2 OfcH, i«%4«§ 3 6 0ia!)J81I2n, U I M ^ J -tr- ft ft ft ft -y ( U M 
AC) 3 7 0 ?*«f *if 3 4 OOS»*§jSt8 (generate) 0 S«5eft#§3 6 0 feS 
ftSHA-lAyi/aii^HatSi^tiUUnS, L ^ L S ^ ft d©S|ga^© 
SI K3 1 0i!)tt&L5UAK 3 2 0 * ffi ffl L T W ffi ft * ft & „ 
[ 0 0 3 7 ] 

UMAC 3 7 0 iif|fta^7 h 2 2 Oi:VS 2 1 OitHJn, ^ CI 7' ^ IE ^ ft 3 8 
0 aitoAf ©7^fyf^f^^gIt?o ^ liE ^ ? 3 8 0 lif«|^ 3 4 0 fcUMAC 

3 7 0 ££#£T3il£fc,fc9&!E£jij£-r3 0 ftbDt, ^ II S ? 3 8 Oiillftaz 50 
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y h 2 2 0il^i«M^3 4 O^SfgLT, UMAC 3 7 0 ©9*|StSC tl^ft? 
[ 0 0 3 8 ] 

H5l±HJ8[^jB© — jRffc*n/"ciiK*BI^fS7n — f-^— ht»»S 0 X r -y 7 5 0 Of 

, & ft f* a - y h it m u * m m t s * v -t - s> * n £ -r § „ xt'^soi?, n ft f* ^ 

- *y h tt ADAMS!! h-^y*^ft2L ©ffi-g-tt*- (IK) fcgffif 3 „ X f y 7 5 0 
2 T? , H ft f* a - y V It ft £ 14 * ~ I K * ft 2 b , C C Tf b It & ft f* a =. y V ft M <D m * 

^ - (i ft 2 b t ^ n A 7 F 2 n S (zero-padded) CfctfTtS. 

f± ft * b © -y r -f > 7" S St t X O R * ft 3 o ttt I K^KtSS b*ftS&5ti, 10 
t (D t # tt C © X r V 7° 14 it * ft S C £ * s t? # S 0 X r V 7° 5 0 4 t* , /^FJtlftl 

K it U II * & S i: f 3 ^ -y -fe - 57 <h m IS * ft S „ /<7HSnftI K ii ^ y -tr - s> ii © 3 IS 
a * CD ft , S HAOi^Ayfail^HltSi^tilSSnfcI^^SSSCtU 
f -y 7 5 0 5 T? ID # 5 ft 3 o lllflta, X O R ft © B * t± ^ V * ? ft f« # * 
ft, ^LTfcLfcAnA*ftgiJr--7yfre>cDI K^f Olf-fey a X0B|ifiH-O»O 
2 >S ft £ fSffl t HIT (for further use) & D ?f * ft £ (recalled) Ltfff 

* § o 

[ 0 0 3 9 ] 

fe L fe U I M §g U * - ( U A K ) tffffljnSin'gnff, ?©Syn^7A7n-ti 
Xf 7 7*5 1 OtICfo fcLfcUAKtfteffl3ft&^«fc3T?fcft{f, *0*^D^i7 20 
n - it X r y 7° 5 2 otICy„ 

[ 0 0 4 0 ] 

X f 7 7° 5 1 Of, X r y 7° 5 0 5 <D ID # * ft Tc * y -fe - » An A # Wt Wl h - X y 
s£ fS * ft 3 o X r y 7° 5 l it?, U A K ft fc ft * b t? ft it ft , An A # it g'J h - 7 y f± 
UAK*ISbt/WFtS. ^«;K«nftI KB, 35? © ^ 7 -fe - 57 3 fl -fe y a y <D 
H §£ IE* £SS ii -T 3 H? t , BfilMOftiiC^yEHIShSctS'^tS. X r 7 7 
5 1 2t*, /WHStiftl K ii ID ^ * ft fc ^ >y -fe - ii tt S IS * ft T , m % ft ^ #g lc A 77 
3nS,l*Baii, Xf77"513tSHA-10J;?ft, A-r>alt^IIt? 

±Hii2h8. xr77°5 i 4?, m%&£.&<Dmi]i*ijnxmmmh-'? yfrz&wi 

fta^7 ftiii^tl^o 30 
[ 0 0 4 1 ] 

X r -y 7 5 2 0 T? , ^ C M. # tt * - t± BE ID ^ * ft ^ 7 -fe - * B ID ft ~? % (rehash) fc 
»tffiM?nS. X r v 7° 5 0 5 ^ © ID ^ * ft fc y< -y -tr - 'J it & ft f* a - -y h ft © H 

2cf«ssj8ii:g6h* 1 »s^aftb5t, l)}?nf^7t-?ttXf77 o 5 0 5 

Ol^flS^tSSA^nTfe <fcl/\ Ut 1 ffl © IS n- 14 4 1 — ^ 2 •o © -y a © II t 

^TfflMsn8i5?*nB, * © c © te a 14 + - a v y * is ^ #g <d # ^ ^ n % 3 w 

?«IftSn8J;5lc:SISn*Hi!S;5!S;^. I^H, # -y a X f -y 7 £ o ^ T , ft 

^ 14 ^ - f± s 73 i: «» ft 5 * s b cd , y^mm c { grcitmmm c 2 c^fn^t^7h-7^ 

X(bit-wise)*ft-fin3ftS C fctf T?#S 0 C CD 77 S * ffi ffl L T , 1 O O ft # ft ^ - CD * ^ 

mAmmmh~y-yic£<oft f £-£ti2>zttf>&sr*%>%o 40 

[ 0 0 4 2 ] 

i 5 S^Sf if Itif 2 © a 7 -7 a Xr 7 7°^))llAf iSJ h - ? y ? U A K M L t 
H ff * ft S H ffi © f H ^ & 3 d i: f± a B 2 ft ft fcf ft 6 ft ^ o 
[ 0 0 4 3 ] 

H 5 £fHiS*ft/c®attTIHcDS£ «fc D S^WidfHiE^ ft 3 d i: 3^ T? # S : 
HMAC (x)=F token ( U A K , F moblle (IK, x)) 

CCTfF, ( ) (ifiiYfifT?nfcA77all*gL, xftM^7t-7^IL, U 
A KStf I K D , fbtnyvBIg^Ifo 

[ 0 0 4 4 ] 

C DMA77f iSfttiG SM7Xf itfe^TfJf^n, $ft R - U I MSftliU S I 50 
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M £ a U M A C M£ T 3 £ 5 £ M £ ft 3 d i: ^ T~ # , T ft t3 ^5 , gpft # a - y h 
£ «fc D 18 £ * ft £ * >y -fe - is tt Bf # f b * ft T , SB«ns, b L ft , ^ © £ d ft 
h-^yft©ffi7iM:i--y f a ps s £ ft ff 3 © t? , ft§©HSfiJBtB*ISSfi"r«ci:tfS 
SLi^tanf, ::T?Il5eoi»ii, Kft ^ -y t-^ostfg^tl ^ffc^ftr 
U II * ft 3 £ 5 £ ^ -yb - V 7 Is - A £ # J 9 3 T 5 ft S o ffl fcf , t"'jy^ If IS * ft C? ^ 
-y -tr - 7 1/ - A fi , # sf x • ^ ^ n - F * £ £y ^ -y -fe - is y u - A £ D fc , ft to * ft ft 

s^ffifco^r, £ d # < OiSssttstt So ±ot> n»f*a - y h a e y y ?m 
Atigfioi D'h^^i^^ii!] sis d ttftsSo to a # is m F - * ^ & d ft 5 © 

« * ft- It * ft * y -fe - S> e. f§ £ * ft g « ft *t * § m f S £ , C PUB#i«ifli: 
{\ffin*ftfcMSffi©a^©M»*4S , rS (assess) tfctfft, ^ L Tl< I* t it ? tl 
/:i«i^£SLT«^-^g«i^l*^gt§i:t^?t5„ ft fc> D £ , H ft f* ^ - ~y 
F f± » A # il g'J F - * > £ " M m ft " i*ifOS4glt3<t5tyn^7i3n8i: 
tfft'tSo IlRW-^i«i^fSt©<:©7:Sli, to A#M F - * y©Sttit^f*i 
?M f <5 d i: £ £ D to A # li ffl F - 7 > © a * * m to * * 3 o 

[ 0 0 4 5 ] 

iij nfcmmmmn, taxmnwi f-7 yt^mw^- v hicBoiDg^ftfiKt 

ransaction) *SSt« C £ A 5 , to A # © P ffi © ft PS © ft ^ ffi ffl * BS <* o ^WiW^=- 
v KilSOUA K ©MIS b £ a-#g««^£^£7? §ft ^© ?7 n - ? . x ;!/ 1 
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LOCAL AUTHENTICATION IN A COMMUNICATION 
SYSTEM 



BACKGROUND 




10 II. Background 

The field of wireless communications has many applications including, 
e.g., cordless telephones, paging, wireless local loops, personal digital 

A particularly important application is cellular telephone systems for mobile 
15 subscribers. As used herein, the term "cellular" system encompasses both 

over-the-air interfaces have been developed for such cellular telephone 
systems including, e.g., frequency division multiple access (FDMA), t ine 
division multiple access (TDMA), and code division multiple access (CDMA). 

been established including, e.g., Advanced Mobile Phone Service (AMPS), 
Global System for Mobile (GSM), and Interim Standard 95 (IS-95). In 
particular, IS-95 and ils derivatives, IS-95A, IS-95B, ANSI J-STD-008 (often 
referred to collectively herein as IS-95) and proposed high Jata-rate systems 

25 loi data, etc. ar» pioin Jyalud by lire Ttilc-cijciiiu'iicv.lroii Industry Association 
(TIA) and other well known standards bodies. 

Cellular Lebjliune systems con iyured in accordance with the use of 
the IS-95 standard employ CDMA signal processing techniques to provide 
highly elficient and robust cellular telephone service. Exemplary cellular 

30 telephone systems ont in - i l i I it in / th the use of the 
IS-95 standard are described in U.S. Patent Nos. 5,103,459 and 4,901,307, 
which are assigned to the assignee of the present invention and incorporated 
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by reference herein. An exemplary system utilizing CDMA techniques is the 
cdma2000 ITU-R Radio Transmission Technology (RTT) Candidate 
Submission (referred to herein as cdma2O00), issued by the TIA. The 
standard for cdma2000 is given in the draft versions of IS-2000 and has been 
5 approved by the TIA. The cdma2000 proposal is compatible with 1S-95 
systems in many ways. Another CDMA standard is the W-CDMA standard, 
as embodied in 3" Generation Partnership Project "3GPP". Document Nos. 
3G TS 25.21 1 , 3G TS 25.212, 3G TS 25.213, and 3G TS 25.214. 

Given the ubiquitous proliferation of telecommunications services in 

10 most parls of the world and the increased mobility of the general populace, it 
is desirable to provide communication services to a subscriber while he or she 
is travelling outside the range of Ihe subscriber's home system. One method 
of satisfying this need is the use of an identification token, such as the 
Subscriber Identity Module (SIM) in GSM systems, wherein a subscriber is 

15 assigned a SIM card that can be inserted into a GSM phone. The SIM card 
carries information that is used to identify the billing information of the party 
inserting the SIM card into a mobile phone. Next generation SIM cards have 
been renamed as USIM (UTMS SIM) cards. In a CDMA system, the 
identification token is referred to as a Removable User Interface Module (R- 

20 UIM) and accomplishes the same purpose. Use of such an idei ililicaliuri 

which may be configured to operated on frequencies that are not used in the 
visited environment, and to use a locally available mobile phone without 
incurring cos:s in es-ablishin-j a now account. 

25 Although convenient, the use cf such identification tokens to access 

account Information of a subscriber can be insecure. Currently, such 
identification tokens are programmed to transmit private Infoimation, such as 
a cryptographic key used for message encryption or an authentication key for 
identifying the subscriber, to the mobile phone. A person contemplaling Ihe 

30 theft of account Information can accomplish his or her goal by programming a 
mobile phone to retain private information after the identification token has 
been removed, or to transmit the private information to another storage unit 
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Detailed Description of the Drawings 

15 FIG. 1 is a diagram of an exemplary data communication system. 

FIG. 2 is a diagram of a communication exchange between 
components in a wireless communication system. 

FIG. 3 is a diagram of an embodiment wherein a subscriber 
identification token provides encryption support to a mobile unit 
20 FIG. 4 is a diagram of an embodiment wherein a hashing function is 

uswi to generate an authentication signature. 

FIG. 5 is a flow chart of a method to hash a message in order to 
generate an authentication signature. 



25 Detailed Description of the Embodiments 

As illustrated in FIG. 1 , a wireless communication network 10 generally 
Includes a plurality of mobile stations (also called subscriber units or user 
equipment) 12a-12d, a plurality of base stations (also called base station 
transceivers (BTSs) or Node B) 14a-14c, a base station controller (BSC) (also 
30 called radio network controller or packet control function 16), a mobile 
switching center (MSC) or switch 18, a packet data serving node (PDSN) or 
internetworking function (IWF) 20, a public switched telephone network 
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(PSTN) 22 (typically a telephone company), and an Internet Protocol (IP) 
network 24 (typically the Internet). For purposes ot simplicity, four mobile 
stations 12a-12d, three base stations I4a-14c, one BSC 16, one MSC 18, and 



is 12a-1 2d may be any of 



a cellular telephone that is connected to a laptop computer running IP-based, 
Web-browser applications, a cellular telephone with associated hands-free car 
kits, a personal data assistant (PDA) running IP-based, Web-browser 



in a wneless local loop or mel i i em. In the mosl 
embodiment, mobile stations may be any type of comnunica:ion unit. 

The mobile stations 12a-12d may be configured to perfonr 
more wireless packet data protocols such as, for example, the I 



te the IP packets into 
es using a point-to-point protocol (PPP). 

le IP network 24 is coupled to the PDSN 20, the 



and the PSTN 22, and the BSC 16 is coupled to the ba 



aecouarce with any of several <now:i protocols including, e.g., E1, T1, 
Asynchronous Transfer Mode (ATM), IP, Frame Relay, HDSL, ADSL, or 
xDSL, In an alternate embodiment, the BSC 16 is coupled directly lo the 
PDSN 20, and the MSC 18 Is not coupled to the PDSN 20. In another 
embodiment of the invention, the mobile stalions 12a-12d communicate with 
the base stations 14a-14c over an RF interface defined in the 3" 1 Generation 
Partnership Project 2 "3GPP2" . "Physical Layer Standard for cdma2000 
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Spread Spectrum Systems," 3GPP2 Document No. C.P0002-A, TIA PN-4694, 
to be published as TIA/EIA/IS-2000-2-A, (Draft, edit version 30) (Nov. 19, 
1H3S), which is tully incorporated lereir- by reference. 

Du-ing typical operation ol the wireless communication network 10, the 
S r>a=o stations 14a-14c receive an.- demodulate sets of reverse-link signals 
Irom various mobile statiors 12a 1 2d engaged in telephone calls, Web 
browsing, or other data enmmuninarrjons bach reverse-link signal received by 
a given base station Ha-llc is processed within that base station 14a- 14c. 
Each base station 14a-14r. may communicate with a plurality of mobile 

10 stations 12a-12d by modulating and transmitting sets of forwaro-link signals :o 
the mobile stations 12a-12d. For example, as shown in FIG. 1, the base 
station 14a communicates with first and second mobile stations 12a, 12b 
simultaneously, and the base station 14c communicates with third and fourth 
mobile stations 1 2c, 1 2d simultaneously. The resulting packets are forwarded 

IS to tho BSC 1B, which provides call resource allocation and mobility 
management functionality including the orchestration of soft handoffs of a call 
for a particular mobile station 12a-12d from one base station 14a 14c to 
another base station 14a-14c. For example, a mobile station 12c is 
communicating with two base stations 14b, 14c simultaneously. Eventually, 

stations 14c, the call will be handed off to the other base station 14b. 

5 a conventional telephone call, the BSC 16 will 
the MSC 18, which provides additional routing 
ie PSTN 22. If the transmission is a packet-based 
i call destined for the IP network 24, the MSC 18 
will route the data packets to the PDSN 20, which will send the packets to the 
IP network 24. Alternatively, the BSC 16 will route the packets directly to the 
PDSN 20, which sends the packets to the IP network 24. 

FIG. 2 illustrates a method for authenticating a subscriber using a 
30 mobile phone in a wifDl 1 1 I t her travelling 

outside of the range of his or her Home System (HS) 200 uses a mobile unit 
220 in a Visited System (VS) 210. The subscriber uses the mobile unit 220 by 
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inserting a subscriber identification token. Such a subscriber identification 
token is configured to generate cryptographic and authentication information 
that allows a subscriber to access account services without the need for 
establishing a new account with the visited system. A request (note shown in 
5 figure) is sent from the mobile unit 220 to the VS 210 for service. VS 210 

HS 200 generates a random number 240 and an expected response 
(XRES) 270 based on knowledge of the private information held on the 
subscriber identification token. The random number 240 is to be used as a 
10 challenge, wherein the targeted recipient uses the random number 240 ard 
private knowledge to generate a confirmation response that matches the 
expected response 270. The random number 240 and the XRES 270 are 

15 between the HS 200 and the VS 210 is facilitated in the manner described in 
Fig. 1. The VS 210 transmits the random number 240 to the mobile unit 220 
and awaits the transmission of a confirmation message 260 from the mobile 
unit 220. The confirmation message 230 and the XRES 270 are compared at 
a compare element 280 at the VS 210. If the confirmation message 260 a~d 

20 XRES 270 match, the VS 210 proceeds to provide service to the mobile unit 

Mobile unit 220 sends the random number 240 to the subscriber 
identification token 230 that has been inserted Inside the mobile unit 220 by 
the subscriber. A Secure Key 300 is stored on the subscriber identification 

25 token 230. Both the Secure Key 300 and the random number 240 are used 
by a key generator 250 to generate the confirmation message 260, a 
cryptographic Cipher Kay (CK) 290, and an Integrity Key (IK) 310. The CK 
290 and IK 310 are conveyed to the mobile unit 220. 

At the mobile unit 220, the CK 290 can be used to encrypt 

30 communications between the mobile unit 220 and the VS 210, so that 
communications can be decrypted only by the intended recipient of the 
message. Techniques for using a cryptographic key to encrypt 
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communications are described in co-pending U.S. Patent Application 
09/143,441, filed on August 28, 1998, entitled, "Method and Apparatus for 
Generating Encryption Stream Ciphers," assigned to the assignee of the 
present invention, and incorporated by reference herein. Other encryption 




(MAC), wherein the MAC is appended to a transmission message frame in 

10 particular party and to verify that the message was not altered during 
transmission. Techniques for generating MACS are described in co-pending 
U.S. Patent Application No, 09/371,147, filed on August 9, 1999, entitled, 
"Method and Apparatus for Generating a Message Authentication Code," 
assigned to the assignee of the present invention and incorporated by 

15 reference herein. Other techniques for generating authentication codes may 
be used without affecting the scope of the embodiments described herein. 
Hence, the term "signature" as used herein represents the output of any 
authentication scheme that can be implemented in a communication system. 

20 signature 340 based on particular information that is transmitted separately ci 
together with the transmission message. Techniques for generating an 

"Method and Apparatus for Providing Authentication Security in a Wireless 
Communication System," assigned to the assignee of the present invention 

25 and incorporated by reference herein. The authentication signature 340 is the 
output of n h ishi g I s i 1 thai combines the IK 310 with a message 
350 from the mobile unit 220, The authentication signature 340 and the 
message 350 are transmitted over the air to the VS 210. 

As seen in FIG, 2, the cryptographic key 290 and the integrity key 310 

30 are transmitted from the subscriber identification token 230 to the mobile unit 
220, which proceeds to generate data frames for public dissemination over 
the air. While this technique may prevent an eavesdropper from determining 
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identification token 230 that has been electronically coupled with the mobile 



10 unit 220 by the subscriber. A Secure Key 300 is stored on the subscriber 
identification token 230. Both the Secure Key 300 and the random number 
240 are used by a key generator 250 to generate the confirmation message 
260, a Cryptographic Key (CK) 290, an Integrity Key (IK) 310.. and a HIM 
Authentication Key (UAK) 320. The CK 290 and IK 310 are conveyed to the 

15 mobile unit 220. 

At the mobile unit 220, the CK 290 is used for encrypting transmission 
data frames (not shown in FIG. 3). The IK 310 is used to generate a 
signature signal 340. The signature signal 340 is the output of a signature 
generator 330 that uses an encryption operation or a one-way operation, such 

20 as a hashing function, upon the IK 31 0 and a message 350 from the mobi e 

identification token 230. At the subscriber identification token 230, the 
signature signal 340 and the UAK 320 are manipulated by a signature 
generator 360 to generate a primary signature signal 370. The primary 

25 signature signal 370 is transmitted to the mobile unit 220 and to the VS 210, 
where a verification element 380 authenticates the identity of the subscriber. 
The verification element 380 can accomplish the verification by regenerating 
the signature signal 340 and the primary signature signal 370. Alternatively, 
the verification element 380 can receive the signature signal 340 from the 

30 mobile unit 220 and only regenerate the primary signature signal 370. 

The regeneration of the signature signal 310 and the primary signature 
signal 370 at tli Vi I v li herl by a variety of techniques. In 
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can be generated and then be used to generate the primary signature 

The signature generator 360 within the subscriber identification token 
230 can comprise a memory and a processor, wherein the processor can be 
configured to manipulate inputs using a variety of techniques. These 
techniques can take the form of encryption techniques, hashing functions, or 

10 any nonreversible operation. As an example, one technique that can be 
implemented by the subscriber identification token is the Secure Hash 
Algorithm (SHA), promulgated in Federal Information Processing Standard 
(FIPS) PUB 186, "Digital Signature Standard," May 1994. Another technique 
that can be performed by Ihe subscribe! idenlifkatiu.i loken is the Datd 

15 Encryption Standard (DES). promulgated in FIPS PUB 46, January 1977. 
The use of the term "encryption" as used herein does not necessarily imply 



I. Verification can be pe 



25 In a more detailed description of the embodiment above, signal 

generator 330 can be configured to implement a technique referred to herein 
as HMAC-SHA-1. In the embodiment described above, it was noted that a 
hashing function could bo used with.n the s i 1 ien£ tor 330 to generate a 
signature signal 340. A description of hash-based MACs (HMACs) can be 

30 found in the paper, "Keying Hash Functions for Message Authentication," 
Beliare, et al., Advances in Cryptology - Crypto 96 Proceedings, Lecture 
Notes in Computer Science Vol. 1 109, Springer-Verlag, 1996. An HMAC is a 
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MAC scheme that uses a cryptographic hash function, such as SHA-1, in a 
two-step process. In an HMAC-SHA-1 scheme, a random and secret key 
initializes the SHA-1 function, which is then used to produce a digest of the 
message. The key is then used lu i lili jlUe SHA-1 agan to produce a digest 
5 of the first digest. This second digest provides a MAC that will he appended to 
each message. In the embodiment described herein, the integrity key (IK) 
31 0 that is generated by the subscriber identification token 230 can be used 
as the random and secret key initializing SHA-1. FIG. 4 is a flow chart 
illustrating the implementation of the HMAC in the mobile station, which is 
10 initialized by an integrity key from the subscriber identification token, and the 
implementation of the HMAC in the subscriber identification token, which is 

In FIG. 4, HS 200 generates a random number 240 and an expected 
response (XRES) 270 based on knowledge of the private information held on 

15 the subscriber identification token 230. The random number 240 and the 
XRES 270 are transmitted to the VS 210. Communication between the HS 
200 and the VS 210 is facilitated in the manner described in Fig. 1.' The VS 
210 transmits the random number 240 to the mobile unit 220 and awaits the 
transmission of a confirmation message 260 from the mobile unit 220. The 

20 confirmation message 260 and the XHES 270 are compared at a compare 
element 280 at the VS 210. If the confirmation message 260 and the XRES 
270 match, the VS 210 proceeds to provide service to the mobile unit 220. 

Identification token 230 that has been electronically coupled with the mobile 
25 unit 220 by the subscriber. A Secure Key 300 is stored on the subscriber 
Identification token 230. Both the Secure Key 300 and the random number 
240 are used by a key generator 250 to generate the confirmation message 
260, a Cryptographic Key (CK) 290, an Integrity Key (IK) 310, and a UIM 
Authentication Key (UAK) 320. The CK 290 and IK 310 are conveyed to the 
30 mobile unit 220. 

At the mobile unit 220, the CK 290 is used for encrypting transmission 
data frames (not shown in FIG. 4). The IK 310 is used to generate a 
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signature signal 340 from the signature generator 330. The signature 
generator 330 is configured to produce a transformation cf the message 260 
through the use of SHA-1 . The SHA-1 hashing function is initialized by the IK 

5 The signature signal 340, which is the result of the SHA-1 hashing 

identification token 230. At the subscriber identification token 230, the 

generator 360 to generate a transformation ul the of lit* signature signal 340, 

10 which is the UIM message authentication code (UMAC) 370. The signature 
generator 380 is also configured to implement the SHA-1 hashing function, 
However, the function is initialized using UAK 320, rather then IK 310. 

The UMAC 370 is transmitted to the mobile unit 220 and to the VS 210, 
where a verification clement 380 authenticates the identity of the subscriber. 

15 The verification element 380 can a c n i i he ifi n by regenerating 
the signature signal 340 and the UMAC 370. Alternatively, the verification 
element 380 can receive the signature signal 340 from the mobile un'rt 220 
and only regenerate the UMAC 370. 

FIG. 5 is a flow chart illustrating a generalized description of the 

20 embodiment. At step 500, a mobile unit generates a message that requires 
authentication. At step 501, the mobile unit receives an integrity key (IK) of 
length L from a subscriber identification token. At step 502, the mobile unit 
pads the integrity key IK to length b, wherein b is the block size of the hashing 
function of a signature generator within the mobile unit. In one embodiment, 

25 the key can be zero-padded to length h. In another embodiment, the key can 
be XORed with padding constants of length b. If the IK already has length b, 
then this step can be omitted. At step 504, the padded IK is concatenated 
with the message that requires aulhentication. The concatenation of the 
padded IK and the message is then hashed at step 505 by a signature 

30 generator configured to implement a hashing function such as SUA. In one 
embodiment, the output of the XOR operation is saved within a memory 
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challenge; 

generating an initial value based upon a first key from the 
plurality of keys; 

concatenating the initial value with a received signal to form an 
input value, wherein the received signal is transmitted from a 
communications unit communicatively coupled to the subscriber 
lie, and the received signal is generated by the 
lit using a second key from the plurality of keys, the 



2. The apparatus of Claim 1 hashing the in] 

3e with the Secure Hashing Algorithm (SHA-1). 



4. The apparatus of Claim 3, wherein generating the initial value further 
2 comprises adding the padded first key bit-wise to a constant value. 
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